Commit graph

2136 commits

Author SHA1 Message Date
Akihiro Suda
6743320a12
dockerd-rootless.sh: allow specifying DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER
The default port driver "builtin" might not be always preferable as it
drops src IP information: https://github.com/containers/libpod/pull/6324

Now the port driver can be changed to "slirp4netns" via the environment
variable `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER`.

It is still recommended to use the default "builtin" driver.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-24 15:43:45 +09:00
Sebastiaan van Stijn
4609153995
Merge pull request #41098 from AkihiroSuda/rootless-safe-fallback
dockerd-rootless-setuptool.sh: use safer XRD on non-systemd hosts
2020-06-22 10:16:40 +02:00
Akihiro Suda
5d97de47ec
dockerd-rootless-setuptool.sh: use safer XRD on non-systemd hosts
`/tmp/docker-$(id -u)` is not a good candidate as `$XDG_RUNTIME_DIR`,
because it might be already created by another user.

The new path is `$HOME/.docker/run`.

Cherry-picked from https://github.com/docker/docker-install/pull/178

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-17 12:10:28 +09:00
Cristian Ariza
6fabb93f73 Make script pass shellcheck
Signed-off-by: Cristian Ariza <dev@cristianrz.com>
2020-06-12 17:39:29 +00:00
Brian Goff
07e6b84359
Merge pull request #40950 from AkihiroSuda/dockerd-rootless-setuptool.sh
add dockerd-rootless-setuptool.sh
2020-05-21 11:52:07 -07:00
Tianon Gravi
85dceee7d4
Merge pull request #40914 from cristianrz/40912-fix-curl-options
Fix curl progress flags
2020-05-19 12:10:25 -07:00
Akihiro Suda
c696b95269 add dockerd-rootless-setuptool.sh
Usage: `dockerd-rootless-setuptool.sh install --force` .
See `--help` for further information.

Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-15 08:46:36 +09:00
Akihiro Suda
c86abee1a4 dockerd-rootless.sh: bump up slirp4netns requirement to v0.4.0
slirp4netns v0.3.X turned out not to work with RootlessKit >= v0.7.1:
https://github.com/rootless-containers/rootlesskit/issues/143

As slirp4netns v0.3.X reached EOL on Mar 31, 2020, RootlessKit is not
going to fix support for slirp4netns v0.3.X.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-08 20:50:17 +09:00
cristianrz
7608e42da5 Fix curl progress flags
Signed-off-by: Cristian Ariza <dev@cristianrz.com>
2020-05-06 12:39:28 +01:00
Akihiro Suda
5ca47f5179 rootless: graduate from experimental
Close #40484

Note that the support for cgroup v2 isn't ready for production yet,
regardless of rootful or rootless.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-04-07 00:59:15 +09:00
Sebastiaan van Stijn
3e3cd7b255
Pin busybox to fixed version and verify sha256
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-03 09:55:26 +02:00
Sebastiaan van Stijn
97b742676b
hack/ci/windows.ps1: build busybox from local Dockerfile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-03 09:32:30 +02:00
Sebastiaan van Stijn
8164f298f9
vendor jhowardmsft/busybox
taken from the 1.1 tag at https://github.com/jhowardmsft/busybox/tree/v1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-03 09:16:05 +02:00
Akihiro Suda
1ea3a2b7f5 rootless: launch rootlesskit with --propagation=rslave
The propagation was previously set to rprivate and didn't propagate
mounts from the host mount namespace into the daemon's mount namespace.

Further information about --propagation: https://github.com/rootless-containers/rootlesskit/tree/v0.9.1#mount-propagation
RootlessKit changes: https://github.com/rootless-containers/rootlesskit/compare/v0.8.0...v0.9.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-07 21:16:29 +09:00
Sebastiaan van Stijn
d339e6d480 Don't disable socket activation when stopping docker service
PartOf deactivates the socket whenever the service gets deactivated.
The socket unit however should be active nevertheless, so that the
docker service can be started again through socket activation.

Based on the original patch in upstream moby/moby by Max Harmathy.

Co-authored-by: Max Harmathy <max.harmathy@web.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-04 13:19:42 +01:00
Akihiro Suda
3cf82748dd run shfmt
git grep --name-only '^#!' | egrep -v '(vendor|\.go|Jenkinsfile)' | xargs shfmt -w -bn -ci -sr

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-03 12:27:49 +09:00
Akihiro Suda
7af0344f9b
Merge pull request #37470 from harmathy/patch-1
Allow socket activation
2020-03-03 10:48:21 +09:00
Akihiro Suda
9bd1ae024a dockerd-rootless.sh: remove confusing code comment
`--userland-proxy-path` is automatically set by dockerd: e6c1820ef5/cmd/dockerd/config_unix.go (L46)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-24 20:14:13 +09:00
Honza Pokorny
5511f45767 Remove vim syntax files
The new canonical place for the vim syntax file is in the upstream vim
tree.  All improvements and patches should be submitted there.

https://github.com/vim/vim/blob/master/runtime/syntax/dockerfile.vim

Signed-off-by: Honza Pokorny <me@honza.ca>
2020-01-14 13:01:18 -04:00
Sebastiaan van Stijn
404d87ec69
AppArmor: add missing rules for running in userns
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-30 16:17:13 +02:00
Sebastiaan van Stijn
e553a03627
AppArmor: remove rules for linkgraph.db SQLite database
Commit 0f9f99500c removed the
use of SQLite for managing container links, and commit
f8119bb7a7 removed the migration
tool, and SQLite dependency.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-26 17:19:21 +02:00
Kir Kolyshkin
7b0e0335bc
Fix some ineffassign warnings
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-09-18 12:57:29 +02:00
Akihiro Suda
e20b7323fb rootless: harden slirp4netns with mount namespace and seccomp
When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using
mount namespace ("sandbox") and seccomp to mitigate potential
vulnerabilities.

bump up rootlesskit: 2fcff6ceae...791ac8cb20

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-09-02 14:58:58 +09:00
Amit Bakshi
19a3ddf8bb
mkimage-yum.sh: Fix install of additional packages
The mkimage-yum.sh script fails to install additional
packages (passed with -p package-name), because the
package names get quoted twice.

Signed-off-by: Amit Bakshi <ambakshi@gmail.com>
2019-08-17 12:18:58 -07:00
Sebastiaan van Stijn
08191c3b90
Merge pull request #39165 from stafwag/master
Updated mkimage-arch.sh
2019-07-18 00:44:28 +02:00
Staf Wagemakers
0a1947cb9f spaces to tabs
Signed-off-by: Staf Wagemakers <staf@wagemakers.be>
2019-07-17 19:48:13 +02:00
Pascal Bach
78405559cf
Check for BRIDGE_VLAN_FILTERING in overlay section
Overlay networking in docker stack does not work correctly if this option is missing, docker will output the following error:

```
enabling default vlan on bridge br0 failed open /sys/class/net/br0/bridge/default_pvdi: permission denied
```

This is because `default_pvdi` does not exist without this option.

Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Simon Ausserlechner <simon.ausserlechner@siemens.com>
2019-07-16 17:32:51 +02:00
Tim
1ba4e69601 shellcheck
https://www.shellcheck.net/
Signed-off-by: Tim <elatllat@gmail.com>
2019-06-04 09:34:39 -04:00
Wiktor Kwapisiewicz
8abf26dbfb
Change docker socket location to /run/docker.sock
This change resolves the following systemd warning:

```
/usr/lib/systemd/system/docker.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/docker.sock → /run/docker.sock; please update the unit file accordingly.
```

Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
2019-05-28 23:22:54 +02:00
Akihiro Suda
34cc5c24d0 dockerd-rootless.sh: use exec
Killing the shell script process does not kill the forked process.

This commit switches to `exec` so that the executed process can be
easily killed.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-05-15 20:52:59 +09:00
Staf Wagemakers
74e3edc7d1
Updated mkimage-arch.sh
* reset umask to 022
* introduced PKGREQUIRED
* introduced PKGREMOVE
  - to be able to remove linux etc on Parabola GNU/Linux
* updated PKGIGNORE
  - cryptsetup & device-mapper removed to not break the installation
  - added not required packages
* force link /etc/localtime
* install pacman-mirrorlist

Signed-off-by: Staf Wagemakers <staf@wagemakers.be>
2019-05-01 12:17:04 +02:00
Akihiro Suda
63a66b0eb0 rootless: optional support for lxc-user-nic SUID binary
lxc-user-nic can eliminate slirp overhead but needs /etc/lxc/lxc-usernet to be configured for the current user.

To use lxc-user-nic, $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic also needs to be set.

This commit also bumps up RootlessKit from v0.3.0 to v0.4.0:
70e0502f32...e92d5e772e

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-04-25 23:54:30 +09:00
Sebastiaan van Stijn
0ac8cbf747
Merge pull request #39000 from mrueg/openrc-set
openrc: Modernize and sync settings
2019-04-05 19:51:37 +02:00
Tibor Vass
a0d64a3093
Merge pull request #38913 from AkihiroSuda/rootlesskit-docker-proxy
rootless: expose ports automatically
2019-04-02 19:51:15 -07:00
Manuel Rüger
275677e94f openrc: Modernize and sync settings
* Use rc_ulimit for ulimit constraints
* Synchronize ulimit settings to systemd's
* Add support for reload command
* Add support for retry settings for docker stop/restart

Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2019-04-02 15:06:49 +02:00
Ankit Jain
eb13758057 Default to Core group only if no groups specified
Signed-off-by: Ankit Jain <ajatkj@yahoo.co.in>
2019-03-29 20:21:33 +05:30
Ankit Jain
8233910503 mkimage-yum.sh: handle spaces properly & allow multiple packages & groups
Signed-off-by: Ankit Jain <ajatkj@yahoo.co.in>
2019-03-28 20:47:47 +05:30
Akihiro Suda
f0b405fbda rootless: expose ports automatically
Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with
`--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.

The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.

RootlessKit changes: 7bbbc48a6f...ed26714429

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-03-21 02:44:08 +09:00
Noriki Nakamura
57c2228cc1 Add new option to specify tag information
Previously, tag information automatically is added from
/etc/{redhat,system}-release in image (target directory).

But I want to specify any tag information when using mkimage-yum.sh.
Because a Linux distribution based on RHEL (It's Asianux Server) uses
SPn notation (e.g. SP3) instead of period notation (e.g. 7.6).

Signed-off-by: Noriki Nakamura <noriki.nakamura@miraclelinux.com>
2019-03-06 07:06:40 +09:00
Michael Hudson-Doyle
cfde9c717f systemd: fix typo in TasksMax comment
2019-02-27 12:49:17 +13:00
Sebastiaan van Stijn
23c763ef1c systemd: set --containerd socket patch to prevent race-condition
containerd is now running as a separate service, and should
no longer be started as a managed child-process of dockerd.

The dockerd service already specifies that it should be started
`After` the containerd.service, but there is still a race
condition, where containerd is started, but its socket is not yet
created.

In that situation, `dockerd` detects that the containerd socket
is missing, and will start a new instance of containerd (as a
managed child-process), which causes live-restore to fail.

This patch explicitly sets the `--containerd` daemon option.
If this option is set, `dockerd` will not start a new instance
of containerd.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-11 14:36:48 +01:00
Akihiro Suda
ec87479b7e allow running dockerd in an unprivileged user namespace (rootless mode)
Please refer to `docs/rootless.md`.

TLDR:
 * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
 * `dockerd-rootless.sh --experimental`
 * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-04 00:24:27 +09:00
corbin-coleman
d021af7d2d Start docker.service after containerd.service
Signed-off-by: corbin-coleman <corbin.coleman@docker.com>
2019-01-14 23:27:51 +00:00
Mattias Jernberg
8db540370c mkimage: Fix Debian security presence check
Add Location following since security redirects to security-cdn and caused the repository to be added on Debian unstable.

Signed-off-by: Mattias Jernberg <nostrad@gmail.com>
2018-12-05 19:35:17 +01:00
Eli Uriegas
a937bc3825 Add docker.socket requirement for docker.service
Without this the docker.socket would not start by default when starting
the docker.service leading to failures to start.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-12-03 19:14:10 +00:00
Eli Uriegas
6821d80881 Add socket activation for RHEL based distributions
Removes the systemd drop-in unit file for socket activation and instead
prefers socket activation by default for both RHEL based and DEBIAN
based distributions.

Socket activation for RHEL based distributions was tested on CentOS 7 and Fedora 28.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-11-29 00:47:07 +00:00
Sebastiaan van Stijn
44e1c6ce81
Add CONFIG_IP_VS_PROTO_TCP, CONFIG_IP_VS_PROTO_UDP, IP_NF_TARGET_REDIRECT to check-config.sh
On kernels without these options set, publishing ports for swarm
services does not work, making the published port not accessible
("connection refused")

Thanks to Wenbo Wang for reporting, and Tianon for finding this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-15 11:11:48 +01:00
Eli Uriegas
07c9fef311 Add the docker.socket back in
Re-adds the docker.socket file for debian based distributions.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-11-15 00:57:19 +00:00
Mark Jeromin
60ec93f7c2 Fix error handling when go command is missing
Signed-off-by: Mark Jeromin <mark.jeromin@sysfrog.net>
2018-11-04 23:34:03 -05:00
Sebastiaan van Stijn
ce1ee59166
Merge pull request #37589 from danihodovic/update-vim-plugin-readme
README: Update Github url for vim syntax plugin
2018-10-16 14:07:52 +02:00
Valentin Kulesh
0fa3c8c277 Restore Type=notify in Systemd unit
Signed-off-by: Valentin Kulesh <valentin.kulesh@virtuozzo.com>
2018-10-08 21:51:26 +03:00
Eli Uriegas
b19e8d3319 Remove Environment, not needed anymore
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-09-26 18:15:23 +00:00
Tibor Vass
34eede0296 Remove 'docker-' prefix for containerd and runc binaries
This allows to run the daemon in environments that have upstream containerd installed.

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-09-24 21:49:03 +00:00
Eli Uriegas
212521b1e9 Use image artifacts as daemon and dependencies
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-09-21 22:03:21 +00:00
Kir Kolyshkin
14103caff2 systemd/docker.service: fix PATH
Set the PATH to what appears to be the standard on latest Ubuntu (18.04)
and Debian (9), fixing the following two issues:

1. PATH did not contain /bin (leading to ContainerTop/ps not working
on newer distros, among the other things).

2. $PATH can't be specified in Environment directives in .service files.

While at it, also:

3. Remove the comment about RPM as it looks misleading on deb-based
systems.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-09-20 10:19:35 -07:00
Eli Uriegas
ea996b88c1 Add /usr/sbin to our path variable for systemd
iptables is sometimes placed in `/usr/sbin`

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-09-17 10:16:37 -07:00
Eli Uriegas
09e8b411dc Remove offline installer to install shim-process
Removes the need for the offline installer to install the shim process
and instead installs the shim process as part of the packaging.

May be easier in the future to just package the shim process on its own
but that'll come after this 18.09 release

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-09-10 09:10:37 +00:00
Sebastiaan van Stijn
cb95442fc7 systemd: set start burst limits
Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229
(6bf0f408e4)
both the old, and new location are accepted by systemd 229 and up, so using the old location
to make them work for either version of systemd.

StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230
(f0367da7d1)
both the old, and new name are accepted by systemd 230 and up, so using the old name to make
this option work for either version of systemd.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-08-31 15:19:15 +02:00
Sebastiaan van Stijn
e7ad8e2b28 systemd: add support for reloading daemon configuration through systemd
This adds support for reloading the docker daemon
(SIGHUP) so that changes in '/etc/docker/daemon.json'
can be loaded at runtime by reloading the service
through systemd ('systemctl reload docker')

Before this change, systemd would output an error
that "reloading" is not supported for the docker
service;

  systemctl reload docker
  Failed to reload docker.service: Job type reload is not applicable for unit docker.service.

After this change, the docker daemon can be reloaded
through 'systemctl reload docker', which reloads
the configuration;

  journalctl -f -u docker.service

  May 02 03:49:20 testing systemd[1]: Reloading Docker Application Container Engine.
  May 02 03:49:20 testing docker[28496]: time="2016-05-02T03:49:20.143964103-04:00" level=info msg="Got signal to reload configuration, reloading from: /etc/docker/daemon.json"
  May 02 03:49:20 testing systemd[1]: Reloaded Docker Application Container Engine.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-08-31 15:11:28 +02:00
Sebastiaan van Stijn
f30757f439 systemd: set systemd KillMode
Change the kill mode to process so that systemd does not kill container
processes when the daemon is shut down but only the docker daemon

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-08-31 15:11:21 +02:00
Sebastiaan van Stijn
26eddc16a8 systemd: add "Delegate=yes" to docker's service file
We need to add delegate yes to docker's service file so that it can
manage the cgroups of the processes that it launches without systemd
interfering with them and moving the processes after it is reloaded.

       Delegate=
           Turns on delegation of further resource control partitioning to
           processes of the unit. For unprivileged services (i.e. those
           using the User= setting), this allows processes to create a
           subhierarchy beneath its control group path. For privileged
           services and scopes, this ensures the processes will have all
           control group controllers enabled.

This is the proper fix for issue moby/moby#20152

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-08-31 15:11:16 +02:00
Sebastiaan van Stijn
7daf2db62a systemd: don't limit tasks
Systemd sets a default of 512 tasks, which is far
too low to run many containers.

Note that TasksMax is only supported on systemd 226
and above.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-08-31 15:11:11 +02:00
Sebastiaan van Stijn
80039b4699 systemd: set Limit* to infinity
There is a not-insignificant performance overhead for all containers (if
containerd is a child of Docker, which is the current setup) if systemd
sets rlimits on the main Docker daemon process (because the limits
propagate to all children).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-08-31 15:11:05 +02:00
Sebastiaan van Stijn
ef9ee10914 systemd: no limit on core size
set LimitCORE=infinity to ensure complete core creation,
allows extraction of as much information as possible.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-08-31 15:10:57 +02:00
docker-unir[bot]
ffc5810932 Merge pull request #168 from crosbymichael/prestart
Merged with https://github.com/seemethere/unir
2018-08-28 23:20:49 +00:00
Andrew Hsu
53343f1bf3 added RestartSec
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
(cherry picked from commit 51879873897afe298cbb736acef34b5a0b500424)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-08-28 19:56:36 +00:00
Michael Crosby
0c8e758012 Add post-stop
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2018-08-28 13:51:21 -04:00
Eli Uriegas
e56475aa14 Set containerd to be a systemd bind for docker
The daemon won't actually start without containerd

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-08-20 21:17:32 +00:00
Eli Uriegas
cdb1e7033d Some changes to get this working on CentOS 7
Old versions of things on CentOS 7 strike again!

infinity is not a thing for TimeoutSec on systemd < 229

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-08-16 04:03:40 +00:00
Eli Uriegas
e086064b2c Revive pre / post steps, update offline location
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-08-15 23:17:54 +00:00
Eli Uriegas
a5c809e809 Round out systemd for RPM packaging
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-08-15 23:01:10 +00:00
Eli Uriegas
6cd66eaa2d Add systemd files, add containerd-proxy config
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2018-08-14 20:30:22 +00:00
Dani Hodovic
adaed9b6f7
Update Github url for vim syntax plugin
Signed-off-by: Dani Hodovic <dani.hodovic@gmail.com>
2018-08-04 13:42:43 +07:00
Max Harmathy
28e93ed8ca
Allow socket activation
PartOf deactivates the socket whenever the service gets deactivated. The socket unit however should be active nevertheless.

Signed-off-by: Max Harmathy <max.harmathy@web.de>
2018-07-16 14:36:02 +02:00
Mickaël Remars
2137e866b9 Removed the "-i -t" arguments from the smoke test calling printf (these flags seem not really needed, and break jenkins builds with error "the input device is not a TTY")
Signed-off-by: Mickaël Remars <github@remars.com>
2018-07-05 17:29:17 +02:00
Vincent Demeester
06dee4cc27
Merge pull request #37393 from mykeul/master
Added "--no-cache" to apk call to reduce alpine base image by 10-12% …
2018-07-05 15:06:21 +02:00
Mickaël Remars
e72047a375 Replaced "--update-cache" argument with "--no-cache" in apk call to reduce alpine base image by 10-12% (avoid useless indexes in /var/cache/apk)
Signed-off-by: Mickaël Remars <github@remars.com>
2018-07-04 23:34:30 +02:00
Ian Chen
a765210718 add vim-plug setting
this should work ( tried on my machine)

Signed-off-by: Ian Chen <ianre657@gmail.com>
2018-07-04 15:54:19 +08:00
Kunal Tyagi
6b8dab2181 Allow vim be case insensitive for D in dockerfile
Signed-off-by: Kunal Tyagi <tyagi.kunal@live.com>
2018-06-08 10:30:40 +09:00
Brian Goff
ddb01ee1e0 Remove contrib/project-stats.sh
This is an old script using tools that are no longer maintained or
recommended (and don't even work anymore).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-05-04 16:33:44 -04:00
Brian Goff
eeea1e37a1 Removes custom selinux policies.
These are no longer used and instead users should use the
`container-selinux` package on their distribution. Additionally, these
are unmaintained and untested.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-05-04 16:33:44 -04:00
Brian Goff
1b7fe816e8 Remove unused/unmaintained package builder stuff
This is left-over stuff from building Docker packages. These aren't
really maintained outside of bumping the golang version, and are never
tested.

These builders can be found at
https://github.com/docker/docker-ce-packaging where they are kept up to
date.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-05-04 16:33:40 -04:00
Sebastiaan van Stijn
be8885525c
Bump Golang to 1.10.1, alpine 3.7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-04-12 13:30:01 -07:00
Sebastiaan van Stijn
0b6f8a7eff
Update Golang to 1.9.5
go1.9.5 (released 2018/03/28) includes fixes to the compiler, go
command, and net/http/pprof package. See the Go 1.9.5 milestone on
the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.9.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-04-04 06:59:53 -07:00
Sebastiaan van Stijn
caeab26843
Bump Golang to 1.9.4
This fixes a vulnerability in `go get` (CVE-2018-6574, http://golang.org/issue/23672),
but shouldn't really affect our code, but it's good to keep in sync.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-02-07 14:49:51 -08:00
Sebastiaan van Stijn
3cc13511f0
Bump Go to 1.9.3
release notes: https://golang.org/doc/devel/release.html#go1.9.minor

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-01-22 13:40:19 -08:00
Christopher Jones
24da8a0ed4
[ci] use alternate bash comparison
The pattern `echo str | grep -qE pattern` likes to fail on the z CI here for
an unknown reason. Use `grep -qE pattern <<< str` instead.

Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
2018-01-12 11:05:20 -05:00
Dennis Chen
0af5db511e Download support of images with multi-arch manifest
Currently we only support 'application/vnd.docker.distribution.manifest.v2+json'
manifest images download, with more multi-arch images used, we need to support
download images with 'application/vnd.docker.distribution.manifest.list.v2+json'
format(aka "fat manifest"), else we will fail to download those multi-arch ones.

This PR adds 'application/vnd.docker.distribution.manifest.list.v2+json' manifest
support, thus we can download both multi-arch and legacy images.

Signed-off-by: Dennis Chen <dennis.chen@arm.com>
2017-12-14 05:37:22 +00:00
Sebastiaan van Stijn
d6e1cc32d3
Bump Go to 1.9.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-11-21 20:57:02 +01:00
Yong Tang
4785f1a7ab Remove solaris build tag and `contrib/mkimage/solaris`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-11-02 00:01:46 +00:00
Sebastiaan van Stijn
503fe408da
Bump Golang to 1.8.5
go1.8.5 (released 2017/10/25) includes fixes to the compiler, linker, runtime,
documentation, go command, and the crypto/x509 and net/smtp packages. It
includes a fix to a bug introduced in Go 1.8.4 that broke go get of non-Git
repositories under certain conditions. See the Go 1.8.5 milestone on our issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.8.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-10-27 01:18:00 +02:00
Michael Crosby
5a9b5f10cf Remove solaris files
For obvious reasons that it is not really supported now.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-10-24 15:39:34 -04:00
Andrew Pennebaker
2f5146ba1d support *.Dockerfile
Probably a good idea to treat `*.Dockerfile` as dockerfile format as well. In general, it's better to use the `Dockerfile` part as an extension rather than a basename.

Signed-off-by: Andrew Pennebaker <andrew.pennebaker@gmail.com>
2017-10-22 11:16:06 -05:00
Andreas Elvers
547dd4f95d fixing return value
Signed-off-by: Andreas Elvers <andreas@work.de>
2017-10-13 13:59:48 +02:00
Sebastiaan van Stijn
33e8141f63
Bump Go to 1.8.4
Bumps the Go version used to 1.8.4, which contains
security fixes; https://groups.google.com/forum/#!topic/golang-announce/1hZYiemnkdE

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-10-04 23:22:23 +02:00
Daniel Nephin
f7f101d57e Add gosimple linter
Update gometalinter

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-09-12 12:09:59 -04:00
Remy Suen
abd39744c6 Update tmLanguage file to not be case sensitive
While convention states that Dockerfile instructions should be
written in uppercase, the engine allows them to be mixed case or in
lowercase. The tmLanguage file should tolerate this and provide
highlighting support even if instructions are not written in
uppercase.

Signed-off-by: Remy Suen <remy.suen@gmail.com>
2017-08-05 19:45:54 +09:00
Derek McGowan
1009e6a40b
Update logrus to v1.0.1
Fixes case sensitivity issue

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2017-07-31 13:16:46 -07:00
WENJUN TANG
fa900bd30a Update mkimage-yum.sh
If you want to makeimage using the group "Compute Node" and so on, you must add “ ” to include the $install_groups, or it will format the text as below:
yum -c /etc/yum.conf --installroot=/tmp/makeimage.sh.zOLs8y --releasever=/ --setopt=tsflags=nodocs --setopt=group_package_types=mandatory -y groupinstall Compute Node
That's absolutely incorrect.

Change-Id: I8b6b09f215aabd6b1f76c9365ba96c68722c47fd
Signed-off-by: dodia <tangwj2@lenovo.com>
2017-07-27 10:40:00 +08:00
Jacob Wen
238d17c456 Handle https proxy's CONNECT response
When using a https proxy, an extra HTTP 200 header will be generated.
So we can't rely on detecting the first http header.

$curlHeaders with https proxy:
"HTTP/1.0 200 Connection established  <-- the https proxy's response

HTTP/1.1 307 Temporary Redirect
...
"

See https://stackoverflow.com/a/34537988/889429

Fixes #34131

Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
2017-07-21 10:13:04 +08:00
Tianon Gravi
4bbdc0b8f7 Update "download-frozen-image-v2.sh" such that redirects are optional
If the registry responds directly with blob contents, use them,
otherwise follow the redirect without Authorization headers (which
likely aren't valid for the server being redirected to).

This preserves the basic structure of the previous output with up to one
additional progress bar per-layer (for the redirect request and then the
following blob request).

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2017-06-22 15:54:50 -07:00
Alexander Midlash
5c38e4c16a Update downloader script, to ensure that Authorization header is not passed when downloading blobs.
Signed-off-by: Alexander Midlash <amidlash@docker.com>
2017-06-22 15:54:50 -07:00
Sebastiaan van Stijn
5f0062f0fa Merge pull request #33776 from thaJeztah/remove-deprecated-mkimage
Remove deprecated contrib/mkimage-xyz scripts
2017-06-21 22:41:48 -07:00
Sebastiaan van Stijn
d14fb3ac4e
Remove deprecated contrib/mkimage-xyz scripts
The contrib/mkimage-busybox.sh, contrib/mkimage-debootstrap.sh,
and  contrib/mkimage-rinse.sh were deprecated in commit
51f707cf9d, in favor of
their equivalents in contrib/mkimage/

Given that the deprecation warning has been in place
for over three years, it's safe to now remove these.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-21 21:56:24 -07:00
Daniel Nephin
b877fc31c5 Remove pkcs11, libltdl-dev, and clang for osx.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-21 11:18:44 -04:00
Robert Schneider
23f0c20b02 Add option for architecture to mkimage-alpine.sh
Signed-off-by: Robert Schneider <mail@shakeme.info>
2017-06-15 15:52:25 +02:00
Robert Schneider
a89d282dbb Fix getopts in mkimage-alpine.sh
Signed-off-by: Robert Schneider <mail@shakeme.info>
2017-06-15 15:51:56 +02:00
Tibor Vass
b5579a4ce3 Remove docs (except docs/api), experimental/, contrib/completion, man/
They have been moved to github.com/docker/cli.

Signed-off-by: Tibor Vass <tibor@docker.com>
2017-06-14 03:14:46 +00:00
Sebastiaan van Stijn
2b8f0eef73 Update docs, completion scripts for disable-legacy-registry
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-12 11:04:37 +02:00
Eli Uriegas
b8bcf7005c Use internal systemd scripts for DEB packaging
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2017-06-06 14:56:39 -07:00
Eli Uriegas
bb68bc5ae2 Add initial systemd scripts
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
2017-06-06 11:32:27 -07:00
vanderliang
cb502cd4e8 Fix downloading image fails when build docker
Generate a token for each download process to avoid token expired.

Closes: #33441

Signed-off-by: vanderliang <lansheng@meili-inc.com>
2017-05-31 14:21:32 +08:00
Brian Goff
0c7c900e9e Bump go to go1.8.3
Note that go1.8.2 contains a security fix (CVE-2017-8932).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-05-30 10:15:59 -04:00
Vincent Demeester
08894a7f23 Merge pull request #33095 from chrisdias/chrisdias/multistagebuild
syntax highlighting: support FROM...AS for multi stage build
2017-05-24 11:35:17 -07:00
Sebastiaan van Stijn
4050e3061c Merge pull request #33167 from utzb/rpmbuilds
adding rpm builds for ppc64le and s390x
2017-05-24 17:24:23 +01:00
chrisdias
8523e9d108 Support FROM...AS syntax for multi stage build dockerfiles
Signed-off-by: chrisdias <cdias@microsoft.com>
2017-05-22 18:12:10 -07:00
Sebastiaan van Stijn
a30ef99e8d Merge pull request #33151 from nwt/push-foreign-layers
Add daemon option to push foreign layers
2017-05-17 02:04:31 +02:00
Noah Treuhaft
67fdf574d5 Add daemon option to push foreign layers
The --allow-nondistributable-artifacts daemon option specifies
registries to which foreign layers should be pushed.  (By default,
foreign layers are not pushed to registries.)

Additionally, to make this option effective, foreign layers are now
pulled from the registry if possible, falling back to the URLs in the
image manifest otherwise.

This option is useful when pushing images containing foreign layers to a
registry on an air-gapped network so hosts on that network can pull the
images without connecting to another server.

Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
2017-05-16 14:36:36 -07:00
Sebastiaan van Stijn
20255ade29 Merge pull request #32700 from jphuynh/more-maintainer-deprecation
MAINTAINER deprecation follow up. Relates to #25466
2017-05-13 17:28:52 +02:00
Brian Goff
c307f4521e Merge pull request #32437 from cpuguy83/container_selinux
Rely on container-selinux for centos/fedora25/rhel
2017-05-12 09:23:17 -04:00
Utz Bacher
539e976aa9 adding rpm builds for ppc64le and s390x
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Signed-off-by: Dominik Dingel <dingel@de.ibm.com>
Signed-off-by: Thorsten Winkler <thorsten.winkler@de.ibm.com>
Signed-off-by: Utz Bacher <utz.bacher@de.ibm.com>
2017-05-12 01:26:55 +02:00
Sebastiaan van Stijn
d8908c3467 Merge pull request #33049 from albers/completion-log-options
Update bash completion for log driver options
2017-05-12 01:02:34 +02:00
Sebastiaan van Stijn
33ebf32cb0 Merge pull request #33108 from justincormack/revert-seccomp-sockets
Revert "Block obsolete socket families in the default seccomp profile"
2017-05-12 00:30:08 +02:00
Madhu Venugopal
ff86a9196b Merge pull request #29030 from cpuguy83/go18_test
Update go to 1.8
2017-05-11 05:18:12 -07:00
Kenfe-Mickaël Laventure
71d29266ff Merge pull request #33044 from albers/completion-dm-storage-opts
Add bash completion for new devicemapper storage options
2017-05-10 17:59:56 -07:00
Brian Goff
470dfd69b3 Update golang to 1.8
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-05-10 20:06:27 -04:00
Sebastiaan van Stijn
2a7a938da4 Merge pull request #33045 from albers/completion--health-start-period
Add bash completion for `--health-start-period`
2017-05-10 15:54:43 +02:00
Justin Cormack
dcf2632945 Revert "Block obsolete socket families in the default seccomp profile"
This reverts commit 7e3a596a63.

Unfortunately, it was pointed out in https://github.com/moby/moby/pull/29076#commitcomment-21831387
that the `socketcall` syscall takes a pointer to a struct so it is not possible to
use seccomp profiles to filter it. This means these cannot be blocked as you can
use `socketcall` to call them regardless, as we currently allow 32 bit syscalls.

Users who wish to block these should use a seccomp profile that blocks all
32 bit syscalls and then just block the non socketcall versions.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-05-09 14:26:00 +01:00
Harald Albers
8f159358fb bash completion for stack deploy --prune
Signed-off-by: Harald Albers <github@albersweb.de>
2017-05-08 10:14:15 +02:00
Harald Albers
bad7d1fa2f Update bash completion for log driver options
Signed-off-by: Harald Albers <github@albersweb.de>
2017-05-05 16:52:33 +02:00
Harald Albers
cbf8c07e9e Add bash completion for --health-start-period
Signed-off-by: Harald Albers <github@albersweb.de>
2017-05-05 15:04:44 +02:00
Harald Albers
37747a0fce Add bash completion for new devicemapper storage options
Signed-off-by: Harald Albers <github@albersweb.de>
2017-05-05 14:31:22 +02:00
Brian Goff
adb2ddf288 Rely on container-selinux for centos/fedora25/rhel
RH now provides `container-selinux` which provides everything we need
for docker's selinux policy. Rely on `container-selinux` where
available, and `docker-engine-selinux` when not.

This still builds the `docker-engine-selinux` package and presumably
makes it available, but is no longer a requirement in the
`docker-engine` package preferring `container-selinux` instead.

`container-selinux` is available on fedora24, however the version that
is available does not set the correct types on the `dockerd` binary. We
can use `container-selinux` and just supplement that with some of our
own policy, but for now just keep using `docker-engine-selinux` as is.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-05-01 11:23:18 -04:00
Sebastiaan van Stijn
68a5336b61 Merge pull request #32882 from albers/completion-stack-ls--format
Add bash completion for `stack ls --format`
2017-04-27 15:13:05 -07:00
Sebastiaan van Stijn
294c9eab56 Merge pull request #32884 from albers/completion-system-df--format
Add bash completion for `system df --format`
2017-04-27 15:10:17 -07:00
Brian Goff
420b67f892 Merge pull request #32896 from albers/completion-attach
Add missing bash completion for `docker attach`
2017-04-27 13:57:27 -04:00
Brian Goff
6b5a02e95c Merge pull request #32887 from albers/completion-remove--init-path
Remove bash completion for `run|create --init-path`
2017-04-27 13:53:47 -04:00
Sebastiaan van Stijn
2881e2be58 Merge pull request #32883 from albers/completion-history--format
Add bash completion for `history --format`
2017-04-27 10:51:12 -07:00
Harald Albers
afbd5a79ca Add missing bash completion for docker attach
Signed-off-by: Harald Albers <github@albersweb.de>
2017-04-27 16:59:32 +02:00
Harald Albers
b7a32e1780 Remove bash completion for run|create --init-path
Signed-off-by: Harald Albers <github@albersweb.de>
2017-04-27 11:02:33 +02:00
Harald Albers
69a2ca0d44 Add bash completion for system df --format
Signed-off-by: Harald Albers <github@albersweb.de>
2017-04-27 10:29:19 +02:00
Harald Albers
c3e161fb52 Add bash completion for history --format
Signed-off-by: Harald Albers <github@albersweb.de>
2017-04-27 10:18:55 +02:00
Harald Albers
b065ed3ec2 Add bash completion for stack ls --format
Signed-off-by: Harald Albers <github@albersweb.de>
2017-04-27 10:01:17 +02:00
Flavio Crisciani
8dc8cd4719
Introduce SWARM --data-path-addr flag
This new flag will allow the configuration of an interface that
can be used for data path traffic to be isolated from control
plane traffic. This flag is simply percolated down to libnetwork
and will be used by all the global scope drivers (today overlay)

Negative test added for invalid flag arguments

Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
2017-04-26 15:33:15 -07:00
Jean-Pierre Huynh
2c435ab8be MAINTAINER deprecation follow up. Relates to #25466
Signed-off-by: Jean-Pierre Huynh <jean-pierre.huynh@ounet.fr>
2017-04-18 16:44:33 -05:00
Harald Albers
ee785b1b98 Remove bogus statement from bash completion
Signed-off-by: Harald Albers <github@albersweb.de>
2017-04-18 10:50:02 +02:00
Brian Goff
b7794ac46f Merge pull request #32597 from albers/completion-service-logs
Bash completion treats `docker service logs` as stable
2017-04-13 09:29:16 -04:00
Harald Albers
47615c9b9b Bash completion treats service logs as stable
Implements the following new CLI features:
- service logs is no longer experimental
- service logs also accepts task IDs

Signed-off-by: Harald Albers <github@albersweb.de>
2017-04-13 09:58:31 +02:00
Corey Farrell
eede2056fe Fix bash-completion script.
bash-completion script for 'docker build --network' calls
__docker_plugins, the correct name for this function is
__docker_plugins_bundled.

Closes #32588

Signed-off-by: Corey Farrell <git@cfware.com>
2017-04-12 21:36:29 -04:00
yuexiao-wang
78b2c1a84a Fix inconsistency for service logs
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2017-04-12 22:43:14 +08:00